OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION


CONTROLS OVER THE FLEXIPLACE
PROGRAM AND PERSONALLY IDENTIFIABLE
INFORMATION AT HEARING OFFICES

June 2010   A-08-09-19079


AUDIT REPORT


Mission
By conducting independent and objective audits, evaluations and investigations, we inspire public confidence in the integrity and security of SSA’s programs and operations and protect them against fraud, waste and abuse. We provide timely, useful and reliable information and advice to Administration officials, Congress and the public.

Authority
The Inspector General Act created independent audit and investigative units, called the Office of Inspector General (OIG).
The mission of the OIG, as spelled out in the Act, is to:

• Conduct and supervise independent and objective audits and investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and operations.
• Review and make recommendations regarding existing and proposed legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and management by proactively seeking new ways to prevent and deter fraud, waste and abuse.
We commit to integrity and excellence by supporting an environment that provides a valuable public service while encouraging employee development and retention and fostering diversity and innovation.


SOCIAL SECURITY
MEMORANDUM

Date:      June 9, 2010                                        Refer To:

To:        The Commissioner

From:      Inspector General

Subject:   Controls over the Flexiplace Program and Personally Identifiable Information at Hearing Offices (A-08-09-19079)


OBJECTIVE
Our objective was to assess controls over the Flexiplace program (Flexiplace), including personally identifiable information (PII), at Office of Disability Adjudication and Review (ODAR) hearing offices.

BACKGROUND
ODAR’s hearing offices conduct due-process hearings and issue decisions on appealed determinations involving Old-Age, Survivors and Disability Insurance and Supplemental Security Income. ODAR employs over 1,300 administrative law judges (ALJ) and more than 6,000 support staff, which includes attorney advisors, paralegals, and legal assistants. Among other duties, ODAR support staff conducts initial case screening/preparation and pre-hearing case analysis, develops additional evidence, and prepares notices and decisions for claimants.

Negotiated agreements between the Social Security Administration (SSA) and its unions established Flexiplace for ODAR bargaining unit employees.[1] Flexiplace allows qualified hearing office staff to perform assigned work at a management-approved alternate duty station (ADS), which is typically their personal residence.
As such, employees who participate in Flexiplace take claimants’ case files to their ADS. These case files can be in paper form or stored on portable devices, such as compact discs (CD) and laptop computers,[2] and generally include claimants’ PII—Social Security numbers (SSN), names, addresses, earnings information, and medical histories.

[1] Employees we interviewed were represented by the International Federation of Professional and Technical Engineers, National Treasury and Employees Union, and American Federation of Government Employees.
[2] Hearing office employees we interviewed, other than legal assistants, generally stored claimant case file information on CDs.

Page 2 - The Commissioner

According to an ODAR survey, approximately 2,037 (29 percent) of its 6,992 employees worked Flexiplace at least 1 day per week in Calendar Year 2008.[3]

SSA requires that employees who participate in Flexiplace sign, and abide by, the negotiated Flexiplace Program Agreement. While Flexiplace Program Agreements vary depending on the union and/or job position, they share certain basic requirements. For example, SSA requires that Flexiplace employees adhere to all applicable Agency policies and procedures. As such, SSA holds Flexiplace employees accountable for safeguarding Agency records and any PII in their possession.

To accomplish our objective, we selected 20 hearing offices. At each office, we randomly selected and interviewed hearing office employees who participated in Flexiplace in Calendar Year 2008 as well as group supervisors. We also interviewed each office’s director and chief ALJ. In total, we interviewed 135 hearing office employees[4] and 75 managerial staff.[5] The scope of our review involved ODAR employees working Flexiplace.
Therefore, we did not examine ODAR practices for employees who remove case files to temporary duty sites, such as remote hearing locations. See Appendix B for additional information on our scope and methodology.

RESULTS OF REVIEW
While SSA had implemented some preventative measures to safeguard PII removed from its premises, we determined ODAR practices may have exposed claimant data to unauthorized disclosure. For example, ODAR allowed employees to remove PII stored on unencrypted[6] CDs. In addition, ODAR employees did not always comply with SSA’s preventative controls, such as locking claimant PII, when traveling to, or working at, an ADS. We also determined that ODAR did not always identify the removal, and confirm the return, of PII. We believe ODAR should identify opportunities to better monitor employee compliance and strengthen Flexiplace controls, where practicable.

According to most ODAR employees we interviewed, SSA’s Flexiplace program has had a positive impact on their morale or helped them work more effectively at home because of fewer interruptions. While we are pleased to report these results, we also recognize there are inherent risks in the Flexiplace program because some vulnerabilities are outside SSA’s control. That is, SSA has limited ability to control or detect how employees transport, store, or use PII when they work Flexiplace. As such, the Agency is at risk for unauthorized disclosure or intentional misuse of claimant PII and must weigh risks against costs and benefits before implementing additional controls.

[3] We obtained these numbers from ODAR’s Calendar Year 2008 Region-Wide Telework Survey and SSA’s Office of Human Resources, respectively. The 6,992 figure includes both regional and hearing office employees. We did not determine whether each employee participated in Flexiplace for the full year.
[4] We randomly selected 136 employees to interview. However, one ALJ declined to participate in our review.
[5] Managerial staff included chief ALJs, hearing office directors, and group supervisors. Although chief ALJs can participate in Flexiplace, we treated them as managerial staff because they are responsible for certain administrative issues concerning ALJs in their offices.
[6] Encryption is one method used to achieve security for data stored electronically. Encryption software converts data into a secret code so they are not easily understood, except by authorized users.

ODAR’S PRACTICES DID NOT ADEQUATELY SAFEGUARD CLAIMANT DATA REMOVED FOR FLEXIPLACE

ODAR’s practices over PII did not properly protect claimant data that Flexiplace employees removed. For example, ODAR management at 17 (85 percent) of the 20 hearing offices we visited allowed Flexiplace employees to remove electronic PII that was stored on unencrypted CDs. As long as employees placed claimants’ electronic data in a locked container, ODAR considered the employees to be taking proper steps to secure PII. However, we do not believe such controls are sufficient because PII remains vulnerable to unauthorized disclosure when it is “secured” in such ways.

The Office of Management and Budget (OMB) requires that Federal agencies encrypt all data on mobile computers/devices, unless the data are not sensitive.[7] To address OMB’s requirement, SSA implemented a policy that requires employees use Agency-approved encrypted or password-protected electronic devices when PII is removed in electronic form.[8] If device encryption is not possible, SSA requires that employees encrypt or password-protect the electronic files.[9] However, the Agency’s current encryption process is incompatible with the computer application[10] ODAR uses for electronic claimant records. In addition, ODAR staff we interviewed told us they could not password-protect electronic files saved to CDs. While SSA is working on an encryption solution for ODAR, we believe ODAR needs to adequately safeguard claimants’ electronic data by requiring that employees save PII to an encrypted and password-protected laptop—at least until the Agency implements a complete encryption solution.

We realize storing electronic PII on password-protected laptops will not diminish all risks in the Flexiplace program. However, three hearing offices we visited recognized the vulnerability of employees removing PII on unencrypted CDs and no longer allow employees to remove CDs for Flexiplace.

[7] OMB, M-07-16, Attachment 1 § C., May 22, 2007.
[8] SSA, Safeguarding Personally Identifiable Information (PII) While in Electronic or Physical Transit or Outside of Secure SSA Space, page 3, February 21, 2008.
[9] Id.
[10] ODAR’s computer application, eView, enables employees who process claimants’ disability cases to view the information in electronic form.

FLEXIPLACE EMPLOYEES DID NOT ALWAYS COMPLY WITH AGENCY POLICIES WHEN REMOVING PII FROM THE WORKPLACE

ODAR employees did not always adequately secure or properly safeguard PII when working Flexiplace. While SSA has limited capabilities to reduce inherent risks in Flexiplace, it has implemented policies and directives to minimize the opportunity for unauthorized disclosure. For example, SSA requires that employees make every reasonable effort to secure and lock PII and electronic devices during transport and at their ADS.[11] SSA also requires that employees self-report the disposal of PII at their ADS to their managers.[12] Managers must then ensure these employees destroyed PII in an SSA-approved manner.[13]

We determined that 5 (about 4 percent) of the 135 hearing office employees interviewed placed case file information, which contained PII, in an unlocked case or envelope when traveling. We also learned that employees did not always secure PII while at their ADS. For instance, employees told us they placed PII in a travel bag, bookcase, or in their basement instead of locking it in a drawer or cabinet. In fact, 5 (about 4 percent) of the 135 employees we interviewed believed that “locking the house” was adequate protection. Moreover, we learned that an employee left claimant files containing PII in a car overnight. Later, he discovered that someone had broken into his garage and stolen his car. Fortunately, the car and files were recovered, and it appeared there was no disclosure of sensitive data. Additionally, we learned that four employees shredded documents[14] or CDs that contained PII at their ADS, but their managers had not approved the disposals.

We recognize that SSA’s PII policies and procedures can only be effective if employees strictly adhere to them. Further, we believe it is SSA’s responsibility to protect claimants’ PII, to the maximum extent possible, from unauthorized disclosure. Accordingly, SSA should reemphasize to its employees the importance of understanding and following all PII policies and directives.
In addition, SSA should take disciplinary action, such as suspending Flexiplace, for those employees who do not comply with its PII requirements.

[11] SSA, Safeguarding Personally Identifiable Information (PII) While in Electronic or Physical Transit or Outside of Secure SSA Space, Supra at page 2.
[12] Id.
[13] SSA, Safeguarding Personally Identifiable Information (PII), pages 1, 2, and 5, February 14, 2008.
[14] The employees told us these documents were not originals—that is, the employees created the documents specifically for Flexiplace work.

ODAR COULD STRENGTHEN CONTROLS FOR TRACKING PII REMOVED FOR FLEXIPLACE

While Agency policy requires that management closely monitor employee removal of PII from its premises,[15] we do not believe ODAR’s practice always confirmed Flexiplace employees’ removal and return of PII. SSA requires that management maintain a tracking log to identify PII that employees take to an ADS.[16] ODAR’s logs generally include the employee’s name, claimant’s name and SSN, reason for the PII removal, and dates removed and returned. However, most hearing offices we visited did not track the type of medium containing PII that employees removed. In addition, instead of physically confirming that employees returned PII—that is, their CDs, laptops, or paper files—ODAR managers often relied on employees’ completed log sheets or case status in its Case Processing and Management System.[17]

We believe ODAR has the opportunity to strengthen its controls for tracking PII. In fact, we determined that one hearing office’s group supervisor accounted for electronic PII his employees removed.
The group supervisor told us he personally provided CDs to Flexiplace employees and required that they bring the CDs to him upon their return to work.

We recommend that SSA consider establishing additional procedures to identify and account for media that ODAR employees take to their ADS. For example, ODAR’s tracking log could include the type of medium removed. In addition, ODAR managers could verify that Flexiplace employees physically returned the medium containing the PII.

SSA SHOULD SEEK OPPORTUNITIES TO BETTER MONITOR ODAR EMPLOYEES’ COMPLIANCE WITH PII REQUIREMENTS

We believe SSA should improve monitoring of ODAR employees’ compliance with Flexiplace requirements and seek opportunities to reduce risks of unauthorized disclosure of PII. For example, SSA could require that ODAR periodically verify that Flexiplace employees place claimant files in a locked container before they travel to an ADS. SSA could also determine whether deterrent controls, such as ADS inspections,[18] would enhance ODAR employees’ compliance. Although inspecting ADSs cannot assure SSA that ODAR employees will properly secure claimant PII when at their ADS, it will confirm their ADS is equipped with a lockable device.
During our review, we found that 11 (55 percent) of the 20 hearing offices we visited inspected employees’ ADSs.

[15] SSA, Information Systems Security Handbook, Chapter 22, § 22.4.
[16] SSA, Safeguarding Personally Identifiable Information (PII) While in Electronic or Physical Transit or Outside of Secure SSA Space, Supra at page 2.
[17] ODAR’s Case Processing and Management System is a Web-based system that allows management to determine, among other things, the current status of each case.
[18] ODAR employees’ Flexiplace Program Agreements allow management to conduct ADS inspections.

Employee transportation and storage of claimant data for Flexiplace presents unique challenges—and additional controls will not diminish all risks related to unauthorized disclosure or intentional misuse of claimant PII. However, we believe the Agency should seek opportunities to reduce risks and implement compensating controls. In addition, ODAR should take disciplinary action, such as suspending Flexiplace, for those employees who do not comply with SSA’s PII requirements.

CONCLUSION AND RECOMMENDATIONS
SSA faces a unique challenge in safeguarding and monitoring sensitive data ODAR employees remove while working Flexiplace. Although SSA implemented certain policies and directives to protect claimant PII removed from its premises, these controls can only be effective if they are adequate and employees comply. We recognize SSA’s efforts cannot eliminate all risks. Nonetheless, we believe SSA has a stewardship responsibility to minimize security risks inherent in the Flexiplace program, when feasible, and ensure employee compliance with all PII policies and directives.

Accordingly, we recommend that SSA:

1. Require that ODAR employees store electronic PII on an encrypted and password-protected laptop when working Flexiplace, until such time as a CD encryption solution for ODAR is developed.

2. Reemphasize to ODAR employees the importance of complying with all Agency PII policies and directives.

3. Consider implementing additional procedures to account for the removal and return of PII.

4. Improve monitoring of ODAR employees’ compliance with Flexiplace requirements. In addition, ODAR should take disciplinary action, such as suspending Flexiplace, for those employees who do not comply.

AGENCY COMMENTS
SSA generally agreed with our recommendations. The Agency’s comments are included in Appendix C.

OTHER MATTERS
Hearing Office Management Needs to Improve Its Maintenance of SSA’s 7-B Employee Record Extension Files

We determined that hearing office management did not always comply with Agency policy regarding SSA’s 7-B Employee Record Extension File (7-B File) for staff. SSA policy requires that supervisors maintain a 7-B File for each employee.[19] Employee 7-B Files should include approved Flexiplace Requests, performance appraisals,[20] and employee-signed annual acknowledgment statements on Systems Sanctions and Safeguarding PII.[21]

During our review, hearing office management could not locate one employee’s 7-B File, while others’ 7-B Files were incomplete. We also identified 66 incidences where management either did not retain or did not ensure that employees’ current Systems Sanctions and Safeguarding PII acknowledgment statements were in their respective 7-B Files.[22] Additionally, three employees’ 7-B Files did not contain their performance appraisals.
Moreover, hearing office management did not always retain employees’ Flexiplace Agreements or their Agreements were incomplete.

We encourage SSA to take steps to ensure that management properly maintains employees’ 7-B Files.

[19] SSA, Personnel Policy Manual, Chapter S293_1, § 4.1.2.
[20] SSA, Personnel Policy Manual, Chapter S293_4, Exhibit 1.
[21] The two documents are SSA’s Agency Policy for Systems Access, Table of Penalties for Violations and Acknowledgement Statement by Employees and Annual Reminder on Safeguarding Personally Identifiable Information (PII) for SSA Employees. SSA, Security Reminders for Managers, May 2009, page 3.
[22] Of the 66 incidences identified, 43 pertained to the Safeguarding PII document and 23 concerned the Systems Sanctions document. Some employees’ 7-B File did not contain both documents, while others’ may have lacked only one of these documents.
[23] SSA, Memorandum, PII Log Disposal – INFORMATION, August 19, 2008, and SSA, Information Systems Security Handbook, Chapter 19, § 19.3 D.

Hearing Office Managers Were Unclear on Retention Period for PII Logs

It appears that hearing office managers were unclear on how long they should retain PII logs. Policy requires that management retain PII logs for 2 years.[23] However, in the event of PII loss, policy further instructs management to store the logs and information pertaining to the loss, such as the incident report and the Change, Asset, and Problem Reporting System number,[24] for 7 years.[25]

Management at 3 (15 percent) of the 20 hearing offices we visited told us they stored PII logs fewer than 2 years. In fact, one hearing office director told us his office did not maintain a log any longer than what is needed to confirm the file has been returned.
He further stated that the office did not maintain PII logs for ALJs.

To ensure the Agency can properly track PII that Flexiplace employees remove, we believe it is important that management maintain PII tracking logs on all who participate in Flexiplace for the time period required. Therefore, we encourage SSA to clarify the retention period for PII logs with hearing office managers.

[24] SSA’s Network Customer Service Center assigns a Change, Asset, and Problem Reporting System number when management or staff reports a PII loss. If additional or updated information on the incident becomes available, managers provide the Network Customer Service Center with this number to update the particular case.
[25] Id., and SSA, Information Systems Security Handbook, Appendix V.


                                                        Patrick P. O’Carroll, Jr.


Appendices
APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – OIG Contacts and Staff Acknowledgments


Appendix A

Acronyms
7-B File     7-B Employee Record Extension File
ADS          Alternate Duty Station
ALJ          Administrative Law Judge
CD           Compact Disc
Flexiplace   Flexiplace Program
ODAR         Office of Disability Adjudication and Review
OIG          Office of the Inspector General
OMB          Office of Management and Budget
PII          Personally Identifiable Information
SSA          Social Security Administration
SSN          Social Security Number


Appendix B

Scope and Methodology
To accomplish our objective, we:
•     Reviewed pertinent sections of the Social Security Administration’s (SSA) policies and procedures pertaining to the Flexiplace program (Flexiplace) and safeguarding personally identifiable information (PII).[1]
•     Identified the two hearing offices in each region with the highest percentage of Flexiplace participation in Calendar Year 2008 for our site visits.[2] The hearing offices we visited are shown in Table B-1.

                        Table B-1: Hearing Offices Visited by Region

                         Region    Hearing Office Location
                   1     I         New Haven, Connecticut
                   2     I         Portland, Maine
                   3     II        Voorhees, New Jersey
                   4     II        Newark, New Jersey
                   5     III       Harrisburg, Pennsylvania
                   6     III       Seven Fields, Pennsylvania
                   7     IV        Birmingham, Alabama
                   8     IV        Paducah, Kentucky
                   9     V         Detroit, Michigan
                  10     V         Oak Park, Michigan
                  11     VI        Fort Worth, Texas
                  12     VI        Dallas North, Texas
                  13     VII       Creve Coeur, Missouri
                  14     VII       Kansas City, Missouri
                  15     VIII      Fargo, North Dakota
                  16     VIII      Billings, Montana
                  17     IX        Stockton, California
                  18     IX        Phoenix, Arizona
                  19     X         Seattle, Washington
                  20     X         Spokane, Washington

[1] The scope of our review was limited to Flexiplace. As such, we did not examine the Office of Disability Adjudication and Review’s (ODAR) controls in place or employees’ PII practices at temporary duty sites, such as remote hearing locations.
[2] We obtained this information from SSA’s ODAR and Office of Human Resources.

•     Randomly selected two employees per position to interview, if there were at least two employees in that position who participated in Flexiplace. We also randomly selected two group supervisors to interview, if there were at least two in the position. We also interviewed hearing office directors and chief administrative law judges (ALJ), provided there was one.[3] Table B-2 provides the number of hearing office employees and management we interviewed.
One ALJ declined to participate in our review.

                         Table B-2: Employees Interviewed Per Position

                       Position                     Number of Employees Interviewed
                       ALJ                                             33
                       Attorney Advisor                                35
                       Paralegal                                       29
                       Legal Assistant                                 38
                       Total Employees                                135
                       Group Supervisor                                36
                       Hearing Office Chief ALJ                        19
                       Hearing Office Director                         20
                       Total Management                                75
                       GRAND TOTAL                                    210

•     For each employee interviewed, we examined his/her SSA 7-B Employee Record Extension File to identify whether management retained employees’ annual acknowledgment statements[4] and Flexiplace documents.

Our review of internal controls was limited to SSA’s policies and directives for protecting PII and documenting Flexiplace requests and approvals. We performed our audit at the Office of Audit in Birmingham, Alabama, and selected hearing offices. The data were sufficiently reliable to meet our objective.

The SSA entity audited was the Office of the Chief ALJ under the Deputy Commissioner for ODAR. We conducted this performance audit from May through December 2009 in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

[3] One hearing office did not have an acting chief ALJ at the time of our review.
[4] The statements are SSA’s Annual Reminder on Safeguarding Personally Identifiable Information (PII) for SSA Employees and Agency Policy for Systems Access, Table of Penalties for Violations and Acknowledgement Statement by Employees.


Appendix C

Agency Comments


SOCIAL SECURITY

MEMORANDUM

Date:      May 24, 2010                                        Refer To:

To:        Patrick P. O’Carroll, Jr.
           Inspector General

From:      James A. Winn /s/
           Executive Counselor to the Commissioner

Subject:   Office of the Inspector General (OIG) Draft Report, “Controls Over the Flexiplace Program and Personally Identifiable Information at Hearing Offices” (A-08-09-19079)


Thank you for the opportunity to review and comment on the draft report. We appreciate OIG’s efforts in conducting this review. Attached is our response to the report findings and recommendations.

Please let me know if we can be of further assistance.
You may direct staff inquiries to Candace Skurnik, Director, Audit Management and Liaison Staff, at (410) 965-4636.

Attachment


COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT REPORT, “CONTROLS OVER THE FLEXIPLACE PROGRAM AND PERSONALLY IDENTIFIABLE INFORMATION (PII) AT HEARING OFFICES” (A-08-09-19079)

We generally agree with the reported findings and recommendations.

Recently, the Office of Disability Adjudication and Review (ODAR) launched a multi-pronged strategy on PII loss prevention. Specifically, ODAR’s Deputy Commissioner personally issued clear PII loss prevention guidance to all ODAR employees and conducted national teleconferences, including calls to over 570 Information Technology (IT) staff and managers, all Regional Chief Administrative Law Judges (ALJ), and an all-manager call with over 650 managers. ODAR also kicked off a national PII loss prevention workgroup to quickly review and revise our loss prevention procedures and policies and to establish standard penalties for employee and contractor PII loss.

Additionally, ODAR plans to reemphasize the importance of management accountability. For example, ODAR is developing and will soon issue a certification form for all managers to sign, acknowledging that: 1) all personal drives have been examined for PII and that extraneous information has been purged, 2) all employees have a signed and current copy of the Annual Reminder on Safeguarding Personally Identifiable Information (PII) for SSA Employees on file, and, 3) when applicable, all employees have current, signed flexiplace agreements in their 7B file. Also, ODAR’s Systems Security Branch, in conjunction with the agency’s Office of Human Resources, is developing a stronger PII element for managers’ performance plans.
This stronger performance element will hold managers more accountable for protecting PII.

ODAR’s managers also regularly exchange PII protection information and best practices. For example, ODAR’s Component Security Officer (CSO) chairs a monthly ODAR Security Roundtable meeting which allows Headquarters Security Specialists, the Division of Electronic Services, the Division of Information Technology Integration, Regional Supervisory Information Technology Specialists, and Regional Systems Administrators to exchange information that will enable them to better protect our claimants’ PII. Actions from these meetings often include communicating information to regional managers and/or employees.

Finally, ODAR’s Systems Security Branch and CSO actively participate in a variety of agency-wide initiatives with the Chief Information Officer’s (CIO) PII staff, which include communicating SSA policy to all agency employees. Current initiatives include mandatory PII awareness training and a poster campaign to promote PII awareness.

Our responses to the specific recommendations are as follows:

Recommendation 1

We recommend that SSA require that ODAR employees store electronic PII on an encrypted and password-protected laptop when working flexiplace, until such time as a compact disc (CD) encryption solution for ODAR is developed.

Comment

We agree with the first part of your recommendation concerning laptops. We now have an adequate stock of agency-issued, encrypted, password-protected laptops available to employees working flexiplace, and we transfer electronic PII to those laptops for use at employees’ alternative duty stations (ADS).
As for the second part of your recommendation, we no longer need to develop a “CD encryption solution.” We store electronic PII only on approved laptops and no longer remove CDs from the office for flexiplace purposes.

We are taking actions along these lines to protect PII and to phase in a new process. Specifically, we are:

    • Reissuing PII policy guidance to reiterate our existing policy that all employees participating in flexiplace must transport electronic PII between the office and their ADS on agency-issued, encrypted, and password-protected laptops.

    • Implementing the portable workstation process (PWP) which allows our employees to use their approved laptops as their in-office workstations while connected to our network. While in the office, employees who have PWP download the files they require for flexiplace directly from the network to their laptops. Employees then use those laptops during flexiplace and upload the work that they performed on flexiplace to the network upon their return to the office.

    • We have started issuing new laptops with the PWP software, and some employees are using PWP for flexiplace. Until we deploy PWP in all ODAR offices, flexiplace employees who do not have PWP will follow a work-around process and transfer claimants’ electronic files to agency-issued, encrypted, and password-protected Universal Serial Bus (USB) flash drives. While still in the office, they will then transfer the files from the flash drive to their approved encrypted, password-protected laptops.
We will secure the USB flash drives in our offices, and they will not leave the premises.

Recommendation 2

We recommend that SSA reemphasize to ODAR employees the importance of complying with all Agency PII policies and directives.

Comment

We agree and are taking a number of steps on this front, starting with management accountability. We are developing and will soon issue a certification form that all managers must sign, wherein they acknowledge that:

   • All personal drives have been examined for PII and extraneous information has been purged;
   • All employees have a signed, current copy of the Annual Reminder on Safeguarding Personally Identifiable Information (PII) for SSA Employees in their 7-B files, and
   • Where applicable, all employees have current, signed flexiplace agreements in their 7-B files.

Also, ODAR is developing a stronger PII element for managers’ performance plans.

In 2007, we implemented the Annual Reminder on Safeguarding Personally Identifiable Information (PII) for SSA Employees. We are reemphasizing that employees review and understand that document as well as the Agency Policy for Systems Access. In addition, ODAR’s Systems Security Branch, CSO, and/or Regional Security IT Specialists provide PII security awareness training to all new ODAR employees and managers to ensure that they understand their responsibilities for protecting PII.

We are also taking other actions to raise awareness and protect PII. Specifically, ODAR’s Deputy Commissioner personally issued strict PII loss prevention guidance to all ODAR employees. He conducted national teleconferences with more than 570 IT employees and managers and all Regional Chief ALJs. He also held an “all-managers” call with over 650 participants.
In addition, ODAR is leading an effort on PII loss prevention to review and revise its loss prevention procedures and policies and to establish standard penalties for employees who lose PII or fail to adhere to agency PII protection policies.

ODAR’s managers also regularly exchange PII protection information and best practices. For example, ODAR’s CSO chairs a monthly “ODAR Security Roundtable” where key players exchange information to promote better protection of PII; they then communicate this information to regional managers and employees. ODAR also works with other agency components on PII issues. For example, it collaborates with the CIO on a variety of initiatives to raise PII awareness among all agency employees. This includes an initiative for mandatory PII training and a poster campaign to promote PII protection.

Recommendation 3

We recommend that SSA consider implementing additional procedures to account for the removal and return of PII.

Comment

We agree and are improving our controls over the removal and return of PII. We have reemphasized to ODAR managers their responsibilities in this area and have instructed them to modify their logs to include all types of media. This includes paper files (paper is still used to a great extent) and laptops containing PII. As noted under recommendation one, we no longer remove from the office CDs, flash drives, or other types of electronic media for flexiplace purposes.

We are making further strides in this area. For example, ODAR’s Division of Security meets regularly to explore other options for improvements and in coming months will be taking other actions such as issuing new logging procedures.
We recognize that procedures must be followed consistently, and ODAR is developing business processes to promote that consistency.

Recommendation 4

We recommend that SSA improve monitoring of ODAR employees’ compliance with flexiplace requirements. In addition, ODAR should take disciplinary action, such as suspending flexiplace, for those employees who do not comply.

Comment

We agree and have directed our managers to focus their attention on this important task. We are also stressing personal accountability to the employees themselves who participate in flexiplace. In addition, while we already are spot checking flexiplace ADSs, we will examine and revise procedures and adopt a more systematic approach for those efforts. This will include spot checks of employees transporting PII and on-site reviews of ADSs.

As for the disciplinary action you suggest, we already progressively discipline (reprimand, suspension, and removal) employees who do not comply with policies for safeguarding PII. We are developing standard penalties and guidance to more effectively utilize that option where situations warrant. Also, as we note in our comments for recommendation two, we have PII loss prevention managers meetings where we review policies and consider disciplinary actions for situations where an employee loses PII.

OTHER MATTERS

Hearing Office Management Needs to Improve Its Maintenance of SSA’s 7-B Employee Record Extension Files

Comment

We agree. We are reissuing guidelines to ODAR managers and directing them to review employees’ 7-B files and certify that each contains the appropriate material.
We will complete this by June 30, 2010.

Hearing Office Managers Were Unclear on Retention Period for PII Logs

Comment

The ODAR CSO is working with hearing office representatives to review the entire PII logging process, including the procedures for logging PII for flexiplace, PII logs for ALJs, and log retention. Once complete, we will issue updated guidelines to all affected ODAR employees and managers.

Appendix D

OIG Contacts and Staff Acknowledgments

OIG Contacts

   Kimberly Byrd, Director

   Theresa Roberts, Audit Manager

Acknowledgments

In addition to those named above:

   Janet Matlock, Senior Auditor

For additional copies of this report, please visit our web site at www.socialsecurity.gov/oig or contact the Office of the Inspector General’s Public Affairs Staff Assistant at (410) 965-4518.
Refer to Common Identification Number A-08-09-19079.

DISTRIBUTION SCHEDULE

Commissioner of Social Security
Office of Management and Budget, Income Maintenance Branch
Chairman and Ranking Member, Committee on Ways and Means
Chief of Staff, Committee on Ways and Means
Chairman and Ranking Minority Member, Subcommittee on Social Security
Majority and Minority Staff Director, Subcommittee on Social Security
Chairman and Ranking Minority Member, Committee on the Budget, House of Representatives
Chairman and Ranking Minority Member, Committee on Oversight and Government Reform
Chairman and Ranking Minority Member, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, House of Representatives
Chairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Subcommittee on Labor, Health and Human Services, Education and Related Agencies, Committee on Appropriations, U.S. Senate
Chairman and Ranking Minority Member, Committee on Finance
Chairman and Ranking Minority Member, Subcommittee on Social Security Pensions and Family Policy
Chairman and Ranking Minority Member, Senate Special Committee on Aging
Social Security Advisory Board

Overview of the Office of the Inspector General

The Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations (OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of Technology and Resource Management (OTRM).
To ensure compliance with policies and procedures, internal controls, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality Assurance program.

Office of Audit

OA conducts financial and performance audits of the Social Security Administration’s (SSA) programs and operations and makes recommendations to ensure program objectives are achieved effectively and efficiently. Financial audits assess whether SSA’s financial statements fairly present SSA’s financial position, results of operations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s programs and operations. OA also conducts short-term management reviews and program evaluations on issues of concern to SSA, Congress, and the general public.

Office of Investigations

OI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations. This includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing their official duties. This office serves as liaison to the Department of Justice on all matters relating to the investigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State, and local law enforcement agencies.

Office of the Counsel to the Inspector General

OCIG provides independent legal advice and counsel to the IG on various matters, including statutes, regulations, legislation, and policy directives.
OCIG also advises the IG on investigative procedures and techniques, as well as on legal implications and conclusions to be drawn from audit and investigative material. Also, OCIG administers the Civil Monetary Penalty program.

Office of External Relations

OER manages OIG’s external and public affairs programs, and serves as the principal advisor on news releases and in providing information to the various news reporting services. OER develops OIG’s media and public information policies, directs OIG’s external and public affairs programs, and serves as the primary contact for those seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal and external organizations, and responds to Congressional correspondence.

Office of Technology and Resource Management

OTRM supports OIG by providing information management and systems security. OTRM also coordinates OIG’s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the focal point for OIG’s strategic planning function, and the development and monitoring of performance measures. In addition, OTRM receives and assigns for action allegations of criminal and administrative violations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides technological assistance to investigations.